Connectivity Guide

Congure RADIUS over TLS authentication server
OS10(config)# radius-server host 1.2.4.5 tls security-profile radius-prof key radsec
OS10(config)# radius-server retransmit 10
OS10(config)# radius-server timeout 10
TACACS+ authentication
Congure a TACACS+ authentication server by entering the server IP address or host name. You must also enter a text string for the key
used to authenticate the OS10 switch on a TACACS+ host. The Transmission Control Protocol (TCP) port entry is optional.
TACACS+ provides greater data security by encrypting the entire protocol portion in a packet sent from the switch to an authentication
server. RADIUS encrypts only passwords.
Congure a TACACS+ authentication server in CONFIGURATION mode. By default, a TACACS+ server uses TCP port 49 for
authentication.
tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key
| authentication-key} [auth-port port-number]
Re-enter the tacacs-server host command multiple times to configure more than one TACACS+ server. If you configure multiple
TACACS+ servers, OS10 attempts to connect in the order you configured them. An OS10 switch connects with the configured
TACACS+ servers one at a time, until a TACACS+ server responds with an accept or reject response.
Configure the global timeout setting allowed on TACACS+ servers. By default, OS10 times out after five seconds. No source interface is
configured. The default VRF instance is used to contact TACACS+ servers.
NOTE: You cannot configure both a non-default VRF instance and a source interface at the same time for TACACS+
authentication.
Configure the global timeout used to wait for an authentication response from TACACS+ servers in CONFIGURATION mode, from 1 to
1000 seconds; the default is 5.
tacacs-server timeout seconds
(Optional) Specify an interface whose IP address is used as the source IP address for user authentication with a TACACS+ server in
CONFIGURATION mode. By default, no source interface is configured. OS10 selects the source IP address of any interface from which
a packet is sent to a TACACS+ server.
NOTE: If you configure a source interface that has no IP address, the IP address of the management interface is
used.
ip tacacs source-interface interface
(Optional) By default, the switch uses the default VRF instance to communicate with TACACS+ servers. You can optionally configure a
non-default or the management VRF instance for TACACS+ authentication in CONFIGURATION mode.
tacacs-server vrf management
tacacs-server vrf vrf-name
Congure TACACS+ server
OS10(config)# tacacs-server host 1.2.4.5 key mysecret
OS10(config)# ip tacacs source-interface loopback 2
Congure TACACS+ server for non-default VRFs
OS10(config)# ip vrf blue
OS10(conf-vrf)# exit
OS10(config)# tacacs-server vrf blue
View TACACS+ server configuration
OS10# show running-configuration
...
tacacs-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
ip tacacs source-interface loopback 2
...
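The constraints stated in this section (servers are tried in the order configured, the timeout ranges from 1 to 1000 seconds, and a non-default VRF cannot be combined with a source interface) can be checked before a change script is pasted into the switch. The following Python script is an added example, not Dell or OS10 code; the function name audit_tacacs, the sample commands, and the reading of key type 9 as an encrypted key and of 0 or no type as cleartext are assumptions.

```python
import re

HOST_RE = re.compile(r"tacacs-server host (\S+) key (?:([09]) )?(\S+)(?: auth-port (\d+))?$")
PROMPT_RE = re.compile(r"^OS10\([^)]*\)#\s*")

def audit_tacacs(config_text):
    """Return (servers in attempt order, findings) for OS10 TACACS+ commands."""
    servers, findings = [], []
    vrf = source_if = None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = HOST_RE.match(line)
        if m:
            host, key_type, _key, port = m.groups()
            servers.append((host, int(port or 49)))  # TCP 49 is the documented default
            # Assumption: key type 9 marks an already-encrypted key; 0 or no type is cleartext.
            if key_type != "9":
                findings.append(f"{host}: key entered in cleartext form")
        elif line.startswith("tacacs-server timeout "):
            seconds = int(line.split()[-1])
            if not 1 <= seconds <= 1000:
                findings.append(f"timeout {seconds} outside 1-1000 seconds")
        elif line.startswith("tacacs-server vrf "):
            vrf = line.split()[-1]
        elif line.startswith("ip tacacs source-interface "):
            source_if = line.split(None, 3)[3]
    # Assumption: any "tacacs-server vrf" value, including management, counts as non-default.
    if vrf and source_if:
        findings.append(f"vrf {vrf} and source-interface {source_if} are both set")
    if not servers:
        findings.append("no TACACS+ server configured")
    return servers, findings

# Constructed change script; addresses, key strings and the VRF name are sample values.
SAMPLE = """\
OS10(config)# tacacs-server host 1.2.4.5 key 9 EXAMPLE-ENCRYPTED-KEY
OS10(config)# tacacs-server host 1.2.4.6 key mysecret auth-port 4949
OS10(config)# tacacs-server timeout 2000
OS10(config)# tacacs-server vrf blue
OS10(config)# ip tacacs source-interface loopback 2
"""

if __name__ == "__main__":
    servers, findings = audit_tacacs(SAMPLE)
    print("attempt order:", servers)
    for finding in findings:
        print("finding:", finding)
```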